The risk score represents a score between 0 to 100 to help prioritize across your assets where a higher risk score is more severe. This risk score is assigned to the unified assets, consisting of one or many assets grouped together.
For a single unified asset, the risk score is calculated through 4 stages. At every stage, it is important to have as accurate scoring as possible. For each stage, we are looking at several data properties that have a certain weight, to get to the final risk score.
These are the stages for risk score calculations for a unified asset:
Across all vulnerabilities found for the assets within this unified asset, we select a limited amount for every severity tier (low, medium, high, and critical), preferring those that have known ransomware or exploit if more is found for any of the severity tiers.
Collect the number of vulnerabilities for each asset type (network, web application, devices, phishing simulation, awareness training, etc.) within this unified asset. Based on the amount, we will provide further weighting related to the scoring. There are certain limitations in place to avoid unfair weights, that cap the amount up to a certain level for each asset type.
- Properties of the assets are brought into the calculation to impact the final risk score further.
- The higher business impact that is set on an asset, the more weight it will have on the risk score. This value can be configured by the customer on assets.
- Is the asset a system (server) or a personal computer client? Servers impact the weight more compared to clients.
- Are known exploits or ransomware related to the vulnerabilities of an asset? This has a major impact and will make the risk score significantly higher.
- Is the asset internet-facing? If so, it will impact the weight more on the risk score compared to a completely internal asset. This is automatically identified but can be overridden manually on the asset.
Map the drafted raw scoring to a value between 0 to 100, which is the final risk score represented on the unified asset that is visible in Security Center.
The risk score algorithm prioritizes and ensures that assets are relatively differentiated based on all the properties taken into account from stages 1 to 3. This makes it easier for organizations to understand where the most risk is located and where to start prioritizing.
Risk scores are mapped to different colors to highlight the risk score as follows:
- Green: 1-10
- Yellow: 11-30
- Orange: 31-60
- Red: 61-100